rpms/cups
5
0
Fork 0
Code Issues Pull Requests Releases Activity

provide a way how to opt-out from system crypto policy if needed

Browse Source 
Resolves: RHEL-68415
This commit is contained in:
Zdenek Dohnal 2025-01-07 18:32:03 +01:00
parent 8cc4676c65
commit b0d51ff6a2
2 changed files with 193 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

183
0001-Add-NoSystem-SSLOptions-value.patch Normal file
View File

@ -0,0 +1,183 @@
From 40e62848ab3aa94b98dfaf1334e1c478c266bc73 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Tue, 7 Jan 2025 15:12:15 +0100
Subject: [PATCH] Add `NoSystem` SSLOptions value
In case using system crypto policy breaks communication with device
irreversibly (f.e. if device does not support better key exchange
algorithm), the new option value gives a way how to opt-out from crypto
policy if user do not want to change default system crypto policy for
the whole machine.
---
CHANGES.md | 1 +
cups/http-private.h | 3 ++-
cups/tls-gnutls.c | 7 ++++++-
cups/usersys.c | 2 ++
doc/help/man-client.conf.html | 3 ++-
doc/help/man-cupsd.conf.html | 5 +++--
man/client.conf.5 | 3 ++-
man/cupsd.conf.5 | 3 ++-
scheduler/conf.c | 2 ++
9 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/cups/http-private.h b/cups/http-private.h
index 5f77b8ef0..f248bbb8d 100644
--- a/cups/http-private.h
+++ b/cups/http-private.h
@@ -131,7 +131,8 @@ extern "C" {
# define _HTTP_TLS_ALLOW_RC4 1 /* Allow RC4 cipher suites */
# define _HTTP_TLS_ALLOW_DH 2 /* Allow DH/DHE key negotiation */
# define _HTTP_TLS_DENY_CBC 4 /* Deny CBC cipher suites */
-# define _HTTP_TLS_SET_DEFAULT 128 /* Setting the default TLS options */
+# define _HTTP_TLS_NO_SYSTEM 8 /* No system crypto policy */
+# define _HTTP_TLS_SET_DEFAULT 128 /* Setting the default TLS options */
# define _HTTP_TLS_SSL3 0 /* Min/max version is SSL/3.0 */
# define _HTTP_TLS_1_0 1 /* Min/max version is TLS/1.0 */
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index 719161da7..e8224b217 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -1285,6 +1285,8 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
DEBUG_printf(("3_httpTLSStart(http=%p)", http));
+ priority_string[0] = '\0';
+
if (tls_options < 0)
{
DEBUG_puts("4_httpTLSStart: Setting defaults.");
@@ -1504,7 +1506,10 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
return (-1);
}
- strlcpy(priority_string, "@SYSTEM,NORMAL", sizeof(priority_string));
+ if (!(tls_options & _HTTP_TLS_NO_SYSTEM))
+ strlcpy(priority_string, "@SYSTEM,", sizeof(priority_string));
+
+ strlcat(priority_string, "NORMAL", sizeof(priority_string));
if (tls_max_version < _HTTP_TLS_MAX)
{
diff --git a/cups/usersys.c b/cups/usersys.c
index f752159b0..607587307 100644
--- a/cups/usersys.c
+++ b/cups/usersys.c
@@ -1608,6 +1608,8 @@ cups_set_ssl_options(
min_version = _HTTP_TLS_1_3;
else if (!_cups_strcasecmp(start, "None"))
options = _HTTP_TLS_NONE;
+ else if (!_cups_strcasecmp(start, "NoSystem"))
+ options |= _HTTP_TLS_NO_SYSTEM;
}
cc->ssl_options = options;
diff --git a/doc/help/man-client.conf.html b/doc/help/man-client.conf.html
index 81cd73a1a..9194481bb 100644
--- a/doc/help/man-client.conf.html
+++ b/doc/help/man-client.conf.html
@@ -44,7 +44,7 @@ CUPS adds the remote hostname ("name@server.example.com") for you. The default n
<b>Note: This directive is not supported on macOS 10.7 or later.</b>
<dt><b>ServerName </b><i>hostname-or-ip-address</i>[<i>:port</i>]<b>/version=1.1</b>
<dd style="margin-left: 5.0em">Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
-<dt><a name="SSLOptions"></a><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>]
+<dt><a name="SSLOptions"></a><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>] [<i>NoSystem</i>]
<dd style="margin-left: 5.0em"><dt><b>SSLOptions None</b>
<dd style="margin-left: 5.0em">Sets encryption options (only in /etc/cups/client.conf).
By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
@@ -57,6 +57,7 @@ The <i>DenyCBC</i> option disables all CBC cipher suites.
The <i>DenyTLS1.0</i> option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
The <i>MinTLS</i> options set the minimum TLS version to support.
The <i>MaxTLS</i> options set the maximum TLS version to support.
+The <i>NoSystem</i> option disables applying system cryptographic policy.
Not all operating systems support TLS 1.3 at this time.
<dt><a name="TrustOnFirstUse"></a><b>TrustOnFirstUse Yes</b>
<dd style="margin-left: 5.0em"><dt><b>TrustOnFirstUse No</b>
diff --git a/doc/help/man-cupsd.conf.html b/doc/help/man-cupsd.conf.html
index 4fd42f314..4a5395387 100644
--- a/doc/help/man-cupsd.conf.html
+++ b/doc/help/man-cupsd.conf.html
@@ -285,7 +285,7 @@ The default is "Minimal".
<dd style="margin-left: 5.0em"><dt><b>SSLListen [</b><i>ipv6-address</i><b>]:</b><i>port</i>
<dd style="margin-left: 5.0em"><dt><b>SSLListen *:</b><i>port</i>
<dd style="margin-left: 5.0em">Listens on the specified address and port for encrypted connections.
-<dt><a name="SSLOptions"></a><dt><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>]
+<dt><a name="SSLOptions"></a><dt><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>] [<i>NoSystem</i>]
<dd style="margin-left: 5.0em"><dt><b>SSLOptions None</b>
<dd style="margin-left: 5.0em">Sets encryption options (only in /etc/cups/client.conf).
By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
@@ -298,6 +298,7 @@ The <i>DenyCBC</i> option disables all CBC cipher suites.
The <i>DenyTLS1.0</i> option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
The <i>MinTLS</i> options set the minimum TLS version to support.
The <i>MaxTLS</i> options set the maximum TLS version to support.
+The <i>NoSystem</i> option disables applying system cryptographic policy.
Not all operating systems support TLS 1.3 at this time.
<dt><a name="SSLPort"></a><b>SSLPort </b><i>port</i>
<dd style="margin-left: 5.0em">Listens on the specified port for encrypted connections.
@@ -632,7 +633,7 @@ Require authentication for accesses from outside the 10. network:
<a href="man-subscriptions.conf.html?TOPIC=Man+Pages"><b>subscriptions.conf</b>(5),</a>
CUPS Online Help (<a href="http://localhost:631/help">http://localhost:631/help</a>)
<h2 class="title"><a name="COPYRIGHT">Copyright</a></h2>
-Copyright &copy; 2020-2023 by OpenPrinting.
+Copyright &copy; 2020-2024 by OpenPrinting.
</body>
</html>
diff --git a/man/client.conf.5 b/man/client.conf.5
index 54808c09f..56d6ec3ec 100644
--- a/man/client.conf.5
+++ b/man/client.conf.5
@@ -67,7 +67,7 @@ Specifies the address and optionally the port to use when connecting to the serv
Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
.\"#SSLOptions
.TP 5
-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] [\fINoSystem\fR]
.TP 5
\fBSSLOptions None\fR
Sets encryption options (only in /etc/cups/client.conf).
@@ -81,6 +81,7 @@ The \fIDenyCBC\fR option disables all CBC cipher suites.
The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
The \fIMinTLS\fR options set the minimum TLS version to support.
The \fIMaxTLS\fR options set the maximum TLS version to support.
+The \fINoSystem\fR option disables applying system cryptographic policy.
Not all operating systems support TLS 1.3 at this time.
.\"#TrustOnFirstUse
.TP 5
diff --git a/man/cupsd.conf.5 b/man/cupsd.conf.5
index fd5762dfd..4e1a7ca81 100644
--- a/man/cupsd.conf.5
+++ b/man/cupsd.conf.5
@@ -447,7 +447,7 @@ Listens on the specified address and port for encrypted connections.
.\"#SSLOptions
.TP 5
.TP 5
-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] [\fINoSystem\fR]
.TP 5
\fBSSLOptions None\fR
Sets encryption options (only in /etc/cups/client.conf).
@@ -461,6 +461,7 @@ The \fIDenyCBC\fR option disables all CBC cipher suites.
The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
The \fIMinTLS\fR options set the minimum TLS version to support.
The \fIMaxTLS\fR options set the maximum TLS version to support.
+The \fINoSystem\fR option disables applying system cryptographic policy.
Not all operating systems support TLS 1.3 at this time.
.\"#SSLPort
.TP 5
diff --git a/scheduler/conf.c b/scheduler/conf.c
index 3184d72f0..3bf176479 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -3054,6 +3054,8 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
min_version = _HTTP_TLS_1_3;
else if (!_cups_strcasecmp(start, "None"))
options = _HTTP_TLS_NONE;
+ else if (!_cups_strcasecmp(start, "NoSystem"))
+ options |= _HTTP_TLS_NO_SYSTEM;
else if (_cups_strcasecmp(start, "NoEmptyFragments"))
cupsdLogMessage(CUPSD_LOG_WARN, "Unknown SSL option %s at line %d.", start, linenum);
}
--
2.47.1

12
cups.spec
View File

@ -22,7 +22,7 @@ Summary: CUPS printing system
Name: cups
Epoch: 1
Version: 2.4.10
Release: 10%{?dist}
Release: 11%{?dist}
# backend/failover.c - BSD-3-Clause
# cups/md5* - Zlib
# scheduler/colorman.c - Apache-2.0 WITH LLVM-exception AND BSD-2-Clause
@ -100,8 +100,11 @@ Patch1009: 0001-fix-warnings-for-unused-vars.patch
Patch1010: 0001-Fix-make-and-model-whitespace-trimming-Issue-1096.patch
# RHEL-69638 IPP Everywhere permanent queue is not removed if PPD generation fails
Patch1011: 0001-scheduler-Clean-up-failed-IPP-Everywhere-permanent-q.patch
# RHEL-68415 Inability to disable weak ciphers in CUPS configuration
# RHEL-68415 Inability to disable weak ciphers in CUPS configuration:
# 0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch
# 0001-Add-NoSystem-SSLOptions-value.patch
Patch1012: 0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch
Patch1013: 0001-Add-NoSystem-SSLOptions-value.patch
##### Patches removed because IMHO they aren't no longer needed
@ -357,6 +360,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
%patch -P 1011 -p1 -b .clean-failed-eve
# RHEL-68415 Inability to disable weak ciphers in CUPS configuration
%patch -P 1012 -p1 -b .tls-system-policy
# give a way how to opt-out from crypto policy
%patch -P 1013 -p1 -b .nosystem-ssloption
# Log to the system journal by default (bug #1078781, bug #1519331).
@ -826,6 +831,9 @@ rm -f %{cups_serverbin}/backend/smb
%{_mandir}/man7/ippeveps.7.gz
%changelog
* Tue Jan 07 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.4.10-11
- provide a way how to opt-out from system crypto policy if needed
* Fri Dec 06 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.4.10-10
- RHEL-68415 Inability to disable weak ciphers in CUPS configuration